An urgent update to the ION network has been released. The ION Core Developers have teamed up with developers in the ION community to successfully identify and fix a vulnerability. The exploit allowed an attacker to manipulate the Proof of Stake block forming process to gain a significant advantage.
The attacker was able to submit blocks at an increased acceptance rate — more frequently than the 64-second block time specification should allow — leading to excessive block production as observed on the ION blockchain over the previous few weeks. The update closes the vulnerability and rolls back the block count, thereby nullifying most of the ill-gotten gains.
A powerful partnership: ionomy developers and ION community developers
The update process highlights an important step in the evolution of ION development. Initially, ionomy.com held primary authorship over the ION codebase. Over the last couple of months, ionomy has brought on additional permanent developers to work on ION. Several weeks before the attack, talented developers who are members of the ION community took the initiative to team up with the ionomy.com devs to upgrade the codebase. Over the past weeks, the combined ION developer team started work in an independent, community-driven repository.
Leading edge technology
The ionomy Team developers and ION community developers rallied in response to the attack. Their dedication and energy drove a complete and rapid integration of the significant work they had already accomplished before the attack. The result is not a superficial fix, but a significant step forward that brings ION in line with Bitcoin 14, significantly advancing ION along its development roadmap.
Hard fork and rollback
This update is a consensus change — a hard fork — and wallets must be updated immediately. The blockchain was forked at Block 176500 (Thursday, June 22, 2017 6:33:04 PM GMT). Transactions that occurred after that block on the attacked fork will not register on the new fork. This rollback prevents the attacker from continuing the attack and nullifies the majority of the ill-gotten gains.
The attacker submits blocks with a timestamp in the past and in the future, lowering the difficulty. As the difficulty algorithm adjusts, another stream of prepared blocks is injected, further suppressing difficulty.
Like many altcoins, much of ION’s core code is derived from code developed for other coins. ION adopted parameters from a source coin that had much longer block times. The window for acceptance of blocks with future and past timestamps made sense in the context of the source coin, but it forms an exaggerated vulnerability in the ION blockchain, which confirms blocks at a much higher rate (nearly 64 seconds per block).
The ION network accepted blocks submitted by clients who have set their system time 4 hours in the future or in the past.
This is in fact the case with many altcoins. The chains have block times of 1 minute (or similar), yet allow blocks to be submitted by clients with system clocks set 4 hours in the future or in the past. The block timing algorithm re-targets difficulty based on only the last block, making it vulnerable to manipulation through transient efforts that require low investment.
The new code protects ION from this attack by:
- Systematically rejecting blocks with a timestamp in the past (https://github.com/cevap/ion/commit/ecfcde8a0025486e59cedf341c874e81db9b2dd6#diff-7ec3c68a81efff79b6ca22ac1f1eabba)
- Adopting a better retargeting algorithm (https://github.com/cevap/ion/commit/ecfcde8a0025486e59cedf341c874e81db9b2dd6 and https://github.com/cevap/ion/commit/455959e9667c1d2ca09457924d0ce6c64888de38)
- Integrating additional fixes and updates, including newer components from the latest Bitcoin 14 core and its specifications.
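The timestamp window and last-block retargeting described above can be modelled in a few lines. This is an added example, not code from the ION repository or the linked commits: only the 64-second spacing and the 4-hour window come from this announcement, while the function names, the two-spacing future limit and the clamped windowed retarget are assumptions chosen for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified model for illustration, not ION's consensus code. Only the 64 s
// spacing and the 4 h window come from the announcement; the rest is assumed.
constexpr int64_t kSpacing = 64;            // target seconds per block
constexpr int64_t kLegacyDrift = 4 * 3600;  // +/- 4 hours accepted before the fix

// Legacy acceptance: any timestamp within 4 hours of the node's clock.
bool AcceptLegacy(int64_t blockTime, int64_t now) {
    return blockTime >= now - kLegacyDrift && blockTime <= now + kLegacyDrift;
}

// Hardened acceptance (assumed limits): strictly after the previous block and
// no more than two block spacings ahead of the node's clock.
bool AcceptHardened(int64_t blockTime, int64_t prevTime, int64_t now) {
    return blockTime > prevTime && blockTime <= now + 2 * kSpacing;
}

// Retarget from the last interval only: one skewed timestamp sets the result.
int64_t RetargetLastBlock(int64_t difficulty, int64_t prevTime, int64_t blockTime) {
    int64_t actual = std::max<int64_t>(blockTime - prevTime, 1);
    return std::max<int64_t>(difficulty * kSpacing / actual, 1);
}

// Retarget over a window of timestamps (oldest first, at least two), with the
// measured timespan clamped to [expected/4, expected*4] to bound each step.
int64_t RetargetWindow(int64_t difficulty, const std::vector<int64_t>& times) {
    int64_t expected = static_cast<int64_t>(times.size() - 1) * kSpacing;
    int64_t actual = times.back() - times.front();
    actual = std::min(std::max(actual, expected / 4), expected * 4);
    return std::max<int64_t>(difficulty * expected / actual, 1);
}

int main() {
    const int64_t now = 1000000, prev = now - kSpacing;  // constructed sample values
    const int64_t skewed = now + kLegacyDrift;           // clock set 4 hours ahead
    std::printf("legacy accepts skewed:   %d\n", AcceptLegacy(skewed, now));
    std::printf("hardened accepts skewed: %d\n", AcceptHardened(skewed, prev, now));
    std::printf("last-block retarget: %lld\n",
                (long long)RetargetLastBlock(1000000, prev, skewed));
    std::vector<int64_t> window;
    for (int i = 0; i < 10; ++i) window.push_back(prev - (9 - i) * kSpacing);
    window.push_back(skewed);
    std::printf("windowed retarget:   %lld\n", (long long)RetargetWindow(1000000, window));
    return 0;
}
```

With these constructed values, the last-block rule drops a difficulty of 1,000,000 to 4,424 after a single skewed timestamp, while the clamped window limits the step to 250,000 and the hardened acceptance rule rejects the block outright.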
With this new code base in line with current Bitcoin specifications, ION now participates in leading-edge technology. The current release allows ION to benefit from the improvements that Bitcoin developers have achieved in recent years, including fixes to the “time warp bug” described above. The move also makes the build process more reliable and consistent through self-correcting mechanisms like checking for missing dependencies.
The new wallet update is available at: https://github.com/ionomy/ion/releases
Update immediately to ensure your client is on the correct chain as soon as possible.
Update instructions for your specific OS can be found at ionomy support.
As always, if you have any questions or need assistance, please contact support at [email protected]
The combined ionomy Developer Team and ION Community Developer Team is already working on the next update. ION users should expect another release within about a month, so be sure to check your email and news.ionomy.com for ongoing announcements.
The ionomy team